Bug 1364993 - MS-KKDCP with TLS SNI requires HTTP Host header
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5 (Show other bugs)
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Robbie Harwood
QA Contact: Kaleem
URL: https://github.com/krb5/krb5/pull/507
Keywords: Regression, TestBlocker
Depends On: 1365027
Blocks:
Reported: 2016-08-08 06:30 EDT by Abhijeet Kasurde
Modified: 2016-11-03 16:26 EDT (History)
4 users (show)

See Also:
Fixed In Version: krb5-1.14.1-24.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1365027 1365028 1365029 1365030
Environment:
Last Closed: 2016-11-03 16:26:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Remove TLS SNI from MIT KRB5 (544 bytes, patch), 2016-08-09 08:57 EDT, Christian Heimes
console.log (14.37 KB, text/plain), 2016-08-11 07:21 EDT, Abhijeet Kasurde


External Trackers
Red Hat Product Errata RHSA-2016:2591 (priority normal, status SHIPPED_LIVE): Low: krb5 security, bug fix, and enhancement update; last updated 2016-11-03 08:10:29 EDT

Description Abhijeet Kasurde 2016-08-08 06:30:22 EDT
Description of problem:
When the IPA client is configured with KKDCP, kinit fails with an error:

[root@ipaclient73kdc2 /]# KRB5_TRACE=/dev/stdout kinit mytestuser@TESTRELM.TEST
[8719] 1470629617.922276: Getting initial credentials for mytestuser@TESTRELM.TEST
[8719] 1470629617.922387: Sending request (174 bytes) to TESTRELM.TEST
[8719] 1470629617.922454: Resolving hostname ipamaster73kdc2.testrelm.test
[8719] 1470629617.922666: Initiating TCP connection to stream 192.168.121.125:88
[8719] 1470629617.933601: Terminating TCP connection to stream 192.168.121.125:88
[8719] 1470629617.933625: Sending initial UDP request to dgram 192.168.121.125:88
kinit: Cannot contact any KDC for realm 'TESTRELM.TEST' while getting initial credentials

On Server

[root@ipamaster73kdc2 ~]# tail -f /var/log/httpd/error_log 
[Mon Aug 08 09:39:22.766065 2016] [:error] [pid 24448] Hostname ipamaster73kdc2.testrelm.test provided via SNI, but no hostname provided in HTTP request

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-5.el7.x86_64
ipa-client-4.4.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install IPA server
2. Enable KDCProxy in IPA server
3. Try to login as IPA user using IPA Client with kinit

Actual results:
kinit fails to find the KDC server due to a mismatch between SNI and the HTTP Host header.

Expected results:
kinit should be successful.

Additional info:
https://marc.info/?l=krb5-cvs&m=143300114416062&w=2
Similar to https://www.redhat.com/archives/pki-devel/2015-November/msg00029.html
Comment 1 Christian Heimes 2016-08-08 06:44:23 EDT
I submitted a patch with TLS SNI support in https://github.com/krb5/krb5/commit/4b6045adb7a044cd7ddc3987da2f26bf8a5281fe. Back then I did not notice the problem because I tested against a mod_nss version without TLS SNI support. I was neither aware that mod_nss did not support SNI yet, nor that Apache requires an HTTP Host header for TLS requests with SNI.

I have submitted a patch to MIT KRB5: https://github.com/krb5/krb5/pull/507. The patch also adds the port number to the Host header so that name-based and port-based virtual hosting work with MS-KKDCP requests.
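To make the failure mode and the fix concrete, the following is an added Python example; it is not code from krb5, FreeIPA, kdcproxy or PR 507. It DER-encodes the MS-KKDCP KDC-PROXY-MESSAGE wrapper, builds the HTTPS POST a client sends to the proxy with a Host header that includes the port (as the PR does), and runs a server-side check modelled on mod_ssl's SNI/Host comparison, which produces the "provided via SNI, but no hostname provided in HTTP request" rejection when the Host header is missing. Assumptions not taken from the bug report: the /KdcProxy path and application/kerberos media type are used as defaults, the Kerberos bytes are a constructed placeholder rather than a real AS-REQ, and the Apache comparison is emulated (hostname only, port ignored, no IPv6 literal handling).

```python
import struct

# Assumed defaults, not taken from the bug report: IPA's kdcproxy serves MS-KKDCP at
# /KdcProxy and the protocol uses the application/kerberos media type.
KKDCP_PATH = "/KdcProxy"
KKDCP_CONTENT_TYPE = "application/kerberos"


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One DER tag/length/value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_kdc_proxy_message(kerb_msg, target_domain=None):
    """DER-encode KDC-PROXY-MESSAGE ::= SEQUENCE {
         kerb-message  [0] OCTET STRING,
         target-domain [1] KerberosString OPTIONAL }
    kerb-message carries the Kerberos PDU with its 4-byte TCP length prefix."""
    framed = struct.pack(">I", len(kerb_msg)) + kerb_msg
    fields = der_tlv(0xA0, der_tlv(0x04, framed))
    if target_domain is not None:
        fields += der_tlv(0xA1, der_tlv(0x1B, target_domain.encode("ascii")))
    return der_tlv(0x30, fields)


def build_kkdcp_request(host, port, body, include_host=True):
    """HTTP/1.1 POST carrying a KDC-PROXY-MESSAGE. The Host header always carries
    the port so name-based and port-based vhosts both route it.
    include_host=False reproduces the pre-fix client that sent SNI but no Host."""
    lines = [f"POST {KKDCP_PATH} HTTP/1.1"]
    if include_host:
        lines.append(f"Host: {host}:{port}")
    lines += [
        f"Content-Type: {KKDCP_CONTENT_TYPE}",
        f"Content-Length: {len(body)}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii") + body


def parse_headers(request):
    """Header name (lower-cased) -> value, parsed from the request head only."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_sni_against_host(sni_name, request):
    """Emulates mod_ssl's request check: an SNI name with no Host header, or a
    Host header naming a different host, is rejected. The port is ignored in
    the comparison; IPv6 literals are not handled in this example."""
    host = parse_headers(request).get("host")
    if sni_name is None:
        return True, "no SNI name; nothing to compare"
    if host is None:
        return False, (f"Hostname {sni_name} provided via SNI, "
                       "but no hostname provided in HTTP request")
    host_only = host.rsplit(":", 1)[0] if ":" in host else host
    if host_only.lower() != sni_name.lower():
        return False, (f"Hostname {sni_name} provided via SNI and hostname "
                       f"{host_only} provided via HTTP are different")
    return True, "SNI and Host agree"


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for an AS-REQ; not a real Kerberos PDU.
    fake_as_req = b"\x6a\x05\x30\x03\x02\x01\x05"
    body = encode_kdc_proxy_message(fake_as_req, "TESTRELM.TEST")
    kdc = "ipamaster73kdc2.testrelm.test"
    for include_host in (False, True):
        req = build_kkdcp_request(kdc, 443, body, include_host=include_host)
        ok, why = check_sni_against_host(kdc, req)
        label = "with Host header" if include_host else "without Host header"
        print(f"{label}: accepted={ok} ({why})")
```

Running the block shows the two client behaviours side by side: the request without a Host header is rejected with the same wording that appeared in httpd's error_log, while the request carrying `Host: <kdc>:443` passes the comparison. Because the proxy URL in krb5.conf may point at a non-default port, carrying the port in Host is what lets a port-based vhost on the proxy side select the right configuration.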
Comment 4 Christian Heimes 2016-08-09 08:57 EDT
Created attachment 1189253 [details]
Remove TLS SNI from MIT KRB5

The patch reverts https://github.com/tiran/krb5/commit/2d66309ef78aeff8df78c81a9d32c1a7e4857f63 and removes the call to SSL_set_tlsext_host_name(). Without the function call the Kerberos client no longer sends a TLS SNI extension in the TLS/SSL handshake for MS-KKDCP. This removes the root cause of the issue.

The alternative patch is simpler and less risky than https://github.com/krb5/krb5/pull/507 because it just removes some code and doesn't introduce new code. We don't lose any functionality. Without the HTTP Host header, TLS SNI is broken anyway.
Comment 5 Christian Heimes 2016-08-09 09:00:04 EDT
PS: Attachment 1189253 [details] is a workaround until PR 507 has been reviewed and landed in upstream.
Comment 6 Christian Heimes 2016-08-09 11:09:29 EDT
Patrick and I have confirmed that my patch https://github.com/krb5/krb5/pull/507 solves the issue on Fedora 24. A scratch build is available on koji http://koji.fedoraproject.org/koji/taskinfo?taskID=15189064
Comment 7 Robbie Harwood 2016-08-10 17:39:23 EDT
Thanks Christian!
Comment 10 Abhijeet Kasurde 2016-08-11 07:21:08 EDT
Verified using IPA version:
ipa-server-4.4.0-7.el7.x86_64

There are no messages like 
'Hostname <HOSTNAME> provided via SNI, but no hostname provided in HTTP request'

in /var/log/httpd/error_log


Attaching console.log. Marking BZ as verified.
Comment 11 Abhijeet Kasurde 2016-08-11 07:21 EDT
Created attachment 1190030 [details]
console.log
Comment 13 errata-xmlrpc 2016-11-03 16:26:17 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2591.html
